According to the Known Exploited Vulnerabilities Catalog, CVE-2026-3909 is a Google Skia out-of-bounds write vulnerability that could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page. The flaw affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products, and is mapped to CWE-787. The entry notes that it is unknown whether the vulnerability has been used in ransomware campaigns.
The required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the affected product if mitigations are unavailable. The vulnerability was added to the catalog on 13 March 2026, with a due date of 27 March 2026. For additional information, the entry points to a Chrome releases blog and the NIST NVD entry for CVE-2026-3909.